Skip to main content

Dxp CVE-2022-42122

CRITICAL
SQL Injection (CWE-89)
2022-11-15 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 15, 2022 - 01:15 nvd
CRITICAL 9.8

DescriptionNVD

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL.

AnalysisAI

A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL. Affected products include: Liferay Dxp, Liferay Liferay Portal.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

More in Dxp

View all
CVE-2022-42118 MEDIUM POC
6.1 Nov 15

A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Lifera

CVE-2022-42120 CRITICAL
9.8 Nov 15

A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 befor

CVE-2022-38901 MEDIUM POC
5.4 Oct 19

A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digit

CVE-2022-38902 MEDIUM POC
5.4 Oct 13

A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experienc

CVE-2021-29053 HIGH
8.8 May 17

Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authen

CVE-2022-42121 HIGH
8.8 Nov 15

A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before f

CVE-2023-35030 HIGH
8.8 Jun 15

Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 thro

CVE-2024-25148 HIGH
8.1 Feb 08

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 be

CVE-2021-29047 HIGH
7.5 May 16

The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidat

CVE-2021-33321 HIGH
7.5 Aug 03

Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attacker

CVE-2021-29041 MEDIUM
6.5 May 16

Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 all

CVE-2022-38512 MEDIUM
6.5 Sep 22

The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not c

Share

CVE-2022-42122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy